Email notifications customization not working

Hello everyone,
First and foremost, I am not a systems or developer kind of person. I do my best to read documentation and apply my understanding.
I have several systems that I am overlooking. I am using GrayLog as my central logging server. All logs from all systems get sent here and parsed as needed.
What I am not understanding is the email customization piece. I read the documentation and it just doesn't make sense to me.
I just want certain fields to show up in my notification. That's it.

Example is the backlog message i receive from my firewall.

{index=pfsense_179, message=sshd[36980]: Accepted password for admin from 192.168.50.241 port 65166 ssh2, fields={gl2_accounted_message_size=337, level=6, full_message=<38>Jan 27 19:01:01 sshd[36980]: Accepted password for admin from 192.168.50.241 port 65166 ssh2, gl2_remote_ip=192.168.50.254, gl2_remote_port=514, facility_num=4, gl2_message_id=01GQTTTTRKX4X4QMB424S93Z0V, gl2_source_node=81b4adce-5627-4ee5-a7eb-24daf5c50e9c, gl2_source_input=62e9dd37d226cc3e41bc8d75, facility=security/authorization}, id=d9a7d631-9e9e-11ed-877b-62ad25012329, source=sshd[36980]:, timestamp=2023-01-27T19:01:01.000-05:00, stream_ids=[000000000000000000000001, 62e9b172734e1d1f91cca73b]}

If I'm understanding the documentation correctly, I should be able to pluck out from that message the fields that I want shown. So, for example:
timestamp=
full_message=

Should be simple enough, I think. So I go into the event notification:

${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Login Alert:  ${message.fields.full_message}
Timestamp: ${message.fields.timestamp}

Tested a few times and this just doesn't work. I get the same garbled message that's not formatted to my liking.

@michmoor0725

Thanks for asking the community! As you’ll see, our peer-to-peer support is awesomely active and you’ll receive recommendations and suggestions from practitioners like you.

If I'm reading your question correctly, this is my response. Keep in mind that this is based on the v5.0 documentation (not sure what version you're using). I hope this helps get you started on finding the solution that makes sense to you.

To ensure the “timestamp” and “full_message” fields show up in your email notifications, you’ll need to modify the email notification template. The template is written using a syntax called Handlebars, which allows you to include data from a message in the email.

Here’s a corrected version of your template:

--- [Backlog] ------------------------------------
Last messages accounting for this alert:

${foreach backlog message}
Login Alert: ${message.fields.full_message}
Timestamp: ${message.timestamp}

${end}

In this template, ${foreach backlog message} will repeat the block of code for each message in the backlog. The fields full_message and timestamp are then accessed with message.fields.full_message and message.timestamp, respectively.

Look forward to other members’ responses, too! We’ll help you find the answer!

Hey @michmoor0725

I think I understand your question; correct me if I'm wrong.
You want to use the notification template to get separate fields in your email.

Example:

"Windows System has been shutdown by a process/user" Notification

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message.fields.TargetUserName}
${message.fields.WorkstationName}
${message.fields.EventReceivedTime}
${message.fields.source}
Message Link: https://graylog.domain.com:9000/messages/${message.index}/${message.id}
${end}
${end}

So what I have is the fields called TargetUserName, WorkstationName, EventReceivedTime, and source; only that info will be sent.

Also, I have a URL that will take you to the Message.

Message Link: https://graylog.domain.com:9000/messages/${message.index}/${message.id}

You need to have these fields created prior to configuring the notification; the source field should be there already, as shown below:

These fields were created by using GELF TCP/TLS, but some devices will not be able to use a GELF type for an input.
If this is the case, then probably the easiest way would be to use an extractor or GROK. Then maybe later start using pipelines.

For example, here is a REGEX extractor to get the traffic type from my firewall logs:

Hope that helps

EDIT: @michmoor0725
I forgot to mention: in the notification template you posted, the timestamp section is incorrect. It should be something like this…

This is just the bottom part of the notification template shown.

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Login Alert: ${message.fields.full_message}
Timestamp: ${message.timestamp}
useradded: ${message.fields.useradded}
${end}
${end}

Results:

1 Like
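The two points made in the replies above (the extractor has to create a field before the template can reference it, and `${message.timestamp}` is a top-level attribute of the backlog entry while `${message.fields.X}` reaches into the fields map) can be tried offline. The following is an added example, not code from the thread or from Graylog: it runs a named-group regex over the sshd line quoted in the first post, the way a regex extractor or Grok pattern would, and then renders the body of a `${foreach backlog message} ... ${end}` block with a deliberately minimal placeholder substitution. That substitution is a stand-in for Graylog's template engine and only resolves the two placeholder shapes used in this thread; the backlog dict, the field names `user`, `src_ip`, `src_port`, `auth_method` and the template bodies are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample input, built by hand from the firewall backlog message quoted
# in the first post. It stands in for the entry Graylog hands to the template;
# it is not Graylog's own object.
SAMPLE_MESSAGE = "sshd[36980]: Accepted password for admin from 192.168.50.241 port 65166 ssh2"

SAMPLE_BACKLOG: List[dict] = [
    {
        "index": "pfsense_179",
        "id": "d9a7d631-9e9e-11ed-877b-62ad25012329",
        "timestamp": "2023-01-27T19:01:01.000-05:00",
        "message": SAMPLE_MESSAGE,
        "fields": {
            "full_message": "<38>Jan 27 19:01:01 " + SAMPLE_MESSAGE,
            "gl2_remote_ip": "192.168.50.254",
            "facility": "security/authorization",
            "level": 6,
        },
    }
]

# Named-group regex doing the job of a regex extractor / Grok pattern for the
# "Accepted <method> for <user> from <ip> port <port> <proto>" sshd line.
# The group names become the new message fields (our choice, an assumption).
SSHD_ACCEPTED = re.compile(
    r"^(?P<process>\w+)\[(?P<pid>\d+)\]: Accepted (?P<auth_method>\w+) "
    r"for (?P<user>\S+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"port (?P<src_port>\d+) (?P<protocol>\S+)$"
)


def extract_fields(message: str) -> Dict[str, str]:
    """Return the captured groups as fields, or {} when the line is not an sshd accept."""
    m = SSHD_ACCEPTED.match(message)
    return m.groupdict() if m else {}


def enrich(backlog: List[dict]) -> List[dict]:
    """Apply the extractor to every entry so the new fields exist before rendering.
    Returns copies; the input list is left untouched."""
    return [
        {**msg, "fields": {**msg["fields"], **extract_fields(msg["message"])}}
        for msg in backlog
    ]


# Minimal stand-in for the two placeholder shapes used in the thread:
#   ${message.fields.X}  -> looked up in the entry's fields map
#   ${message.X}         -> looked up among the entry's top-level keys (timestamp, index, id, ...)
# Unknown names render as an empty string, which is exactly what makes a wrong
# placeholder "silently" produce a blank line in the email.
FIELD_PLACEHOLDER = re.compile(r"\$\{message\.fields\.(?P<name>\w+)\}")
TOP_LEVEL_PLACEHOLDER = re.compile(r"\$\{message\.(?P<name>\w+)\}")


def render_backlog(body: str, backlog: List[dict]) -> str:
    """Render BODY (the text between ${foreach backlog message} and ${end}) once per entry."""
    rendered = []
    for msg in backlog:
        text = FIELD_PLACEHOLDER.sub(lambda m: str(msg["fields"].get(m.group("name"), "")), body)
        text = TOP_LEVEL_PLACEHOLDER.sub(lambda m: str(msg.get(m.group("name"), "")), text)
        rendered.append(text)
    return "".join(rendered)


# The body from the first post: timestamp looked up in the wrong place.
WRONG_BODY = (
    "Login Alert: ${message.fields.full_message}\n"
    "Timestamp: ${message.fields.timestamp}\n"
)

# Corrected body, also using the fields the extractor just created.
RIGHT_BODY = (
    "Login Alert: ${message.fields.full_message}\n"
    "Timestamp: ${message.timestamp}\n"
    "Login: ${message.fields.user} from ${message.fields.src_ip}:${message.fields.src_port}"
    " via ${message.fields.auth_method}\n"
    "Reporting Firewall: ${message.fields.gl2_remote_ip}\n"
)


def build_notification(body: str = RIGHT_BODY) -> str:
    """Run extraction, then render the backlog block with the given template body."""
    return render_backlog(body, enrich(SAMPLE_BACKLOG))


if __name__ == "__main__":
    print("--- wrong placeholder ---")
    print(build_notification(WRONG_BODY))
    print("--- corrected ---")
    print(build_notification())
```

Running it shows the wrong body producing a blank `Timestamp:` line (the fields map has no `timestamp` key) while the corrected body prints the ISO timestamp, and shows the extracted `user`/`src_ip`/`src_port` fields appearing in the email text only because the extractor step ran first; without that step those placeholders would render empty in the same way.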

Following up to this, apologies for the late response.
I managed to update the HTML body of the message.

The crucial part of what i needed in each email is the following:
${foreach backlog message}

Alerting Message: ${message.fields.full_message} Reporting Firewall: ${message.fields.gl2_remote_ip}

This was a lot harder than it needed to be. I see a few posts from other users asking for something similar. We get a syslog message, but how do we grab just the things we need and that need to be presented? The documentation isn't clear/good on whether the event definition needs to be changed or the HTML body. I found the latter to be easier.

@dscryber Thanks for your input. That's exactly what I ended up doing. Again, maybe it's me not understanding, but the documentation isn't clear on how to customize an email message. This was actually the most difficult portion of my Graylog setup to get right.

2 Likes
